CVE-2024-1002 in N200REinfo

Summary

by MITRE • 01/29/2024

A vulnerability classified as critical was found in Totolink N200RE 9.3.5u.6139_B20201216. Affected by this vulnerability is the function setIpPortFilterRules of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument ePort leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252271. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 02/21/2024

This critical vulnerability exists in the Totolink N200RE router firmware version 9.3.5u.6139_B20201216 and specifically affects the setIpPortFilterRules function within the /cgi-bin/cstecgi.cgi web interface component. The flaw manifests as a stack-based buffer overflow when processing the ePort argument, creating a dangerous condition that allows attackers to overwrite adjacent memory locations on the stack. This type of vulnerability falls under CWE-121 which describes stack-based buffer overflow conditions where insufficient bounds checking permits writing beyond the allocated buffer space. The attack vector is remote, meaning an unauthenticated attacker can exploit this vulnerability from outside the network without requiring physical access or prior authentication.

The technical implementation of this vulnerability involves the cgi-bin interface receiving user-supplied input through the ePort parameter and failing to properly validate or limit the input size before processing it within a stack-based buffer. When the input exceeds the allocated buffer capacity, the overflow can overwrite return addresses, function pointers, and other critical stack data structures. This creates opportunities for arbitrary code execution or complete system compromise, as attackers can manipulate the overwritten memory to redirect program execution flow. The vulnerability's classification as critical indicates the potential for severe impact including full system takeover, persistent backdoor installation, or denial of service conditions that could affect network connectivity for all connected devices.

The operational impact of this vulnerability extends beyond simple exploitation to encompass broader network security implications. Given that this is a router-level vulnerability affecting network infrastructure, successful exploitation could allow attackers to gain complete administrative control over the device, potentially enabling them to modify network settings, intercept traffic, or establish persistent access points for further attacks. The fact that this vulnerability has been publicly disclosed and has an associated VDB-252271 identifier suggests that exploit code may already be available in the wild, increasing the risk of active exploitation. Network security teams should consider this vulnerability as part of the ATT&CK framework's initial access tactics, specifically targeting network infrastructure devices through remote code execution vulnerabilities. The lack of vendor response to early disclosure attempts compounds the risk, as users have no assurance of receiving timely patches or security updates to address this critical flaw.

Mitigation strategies should prioritize immediate network segmentation and monitoring of affected devices, as well as implementing network-based intrusion detection systems to detect exploitation attempts. Organizations should consider disabling unnecessary web interfaces on the affected routers until a patch is available, and network administrators should implement strict access controls and monitoring for the /cgi-bin/cstecgi.cgi endpoint. The vulnerability demonstrates the importance of firmware security testing and vendor communication, as the lack of response from Totolink creates a dangerous gap in security coverage for affected users. Security professionals should also consider this vulnerability as a potential indicator of broader firmware security issues that may exist in similar router models or vendor products, warranting comprehensive security assessments of all network infrastructure devices.

Responsible

VulDB

Reservation

01/29/2024

Disclosure

01/29/2024

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.01250

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!